b'         U.S. ENVIRONMENTAL PROTECTION AGENCY\n         OFFICE OF INSPECTOR GENERAL\n\n\n\n                                        Catalyst for Improving the Environment\n\n\nSpecial Report\n\n\n\n       Fiscal Year 2008\n       Federal Information Security\n       Management Act Report\n\n       Status of EPA\xe2\x80\x99s Computer Security Program\n\n\n       Report No. 08-P-0280\n\n       September 26, 2008\n\x0c                      UNITED STATES ENVIRONMENTAL PROTECTION AGENCY\n                                   WASHINGTON, D.C. 20460\n\n\n                                                                                      OFFICE OF\n                                                                                 INSPECTOR GENERAL\n\n\n\n                                       September 26, 2008\n\nMEMORANDUM\n\nSUBJECT:\t             Fiscal Year 2008 Federal Information\n                      Security Management Act Report:\n                      Status of EPA\xe2\x80\x99s Computer Security Program\n                      Report No. 08-P-0280\n\n\nFROM:\t                Patricia H. Hill\n                      Assistant Inspector General for Mission Systems\n\nTO:                   Stephen L. Johnson\n                      Administrator\n\n\nAttached is the Office of Inspector General\xe2\x80\x99s Fiscal Year 2008 Federal Information Security\nManagement Act Reporting Template, as prescribed by the Office of Management and Budget.\nThis audit was performed by Williams, Adley and Company, LLP, under the direction of the\nU.S. Environmental Protection Agency\xe2\x80\x99s Office of Inspector General. 
In addition, Appendix A\nsynopsizes the results of our significant Fiscal Year 2008 information security audits.\n\nThe estimated cost for performing this audit, which includes contract costs and Office of\nInspector General contract management oversight, is $388,135.\n\nIn accordance with Office of Management and Budget reporting instructions, I am forwarding\nthis report to you for submission, along with the Agency\xe2\x80\x99s required information, to the Director,\nOffice of Management and Budget.\n\x0c                                                Section C - Inspector General: Questions 1 and 2\nAgency Name:          Environmental Protection Agency                                                    Submission date:            September 25, 2008\n                                                           Question 1: FISMA Systems Inventory\n1. As required in FISMA, the IG shall evaluate a representative subset of systems used or operated by an agency or by a contractor of an agency or other\norganization on behalf of an agency.\n\nIn the table below, identify the number of agency and contractor information systems, and the number reviewed, by component/bureau and FIPS\n199 system impact level (high, moderate, low, or not categorized). Extend the worksheet onto subsequent pages if necessary to include all\nComponent/Bureaus.\n\nAgency systems shall include information systems used or operated by an agency. Contractor systems shall include information systems used or operated by\na contractor of an agency or other organization on behalf of an agency. The total number of systems shall include both agency systems and contractor\nsystems.\n\nAgencies are responsible for ensuring the security of information systems used by a contractor of their agency or other organization on behalf of their agency;\ntherefore, self reporting by contractors does not meet the requirements of law. 
Self-reporting by another Federal agency, for example, a Federal service\nprovider, may be sufficient. Agencies and service providers have a shared responsibility for FISMA compliance.\n                         Question 2: Certification and Accreditation, Security Controls Testing, and Contingency Plan Testing\n2. For the Total Number of Systems reviewed by Component/Bureau and FIPS System Impact Level in the table for Question 1, identify the number\nand percentage of systems which have: a current certification and accreditation, security controls tested and reviewed within the past year, and a\ncontingency plan tested in accordance with policy.\n\n                                                                     Question 1                                                 Question 2\n                                                  a.                     b.                   c.                a.                    b.                c.\n                                            Agency Systems       Contractor Systems    Total Number of      Number of            Number of         Number of\n                                                                                          Systems        systems certified   systems for which systems for which\n                                                                                        (Agency and       and accredited      security controls contingency plans\n                                                                                         Contractor                           have been tested have been tested\n                                                                                          systems)                            and reviewed in in accordance with\n                                                                                                                                the past year         policy\n\n\n\n                                                                            
                      Total\n                      FIPS 199 System                 Number                 Number     Total              Total   Percent Total   Percent Total   Percent\nU.S. Environmental                         Number                Number                          Number\n                      Impact Level                   Reviewed               Reviewed   Number             Number of Total Number of Total Number of Total\nProtection Agency                                                                               Reviewed\nOA                    High                       0           0          0          0        0           0        0               0               0\n                      Moderate                   2           0          0          0        2           0        0               0               0\n                      Low                        1           0          0          0        1           0        0               0               0\n                      Not Categorized            0           0          0          0        0           0        0               0               0\n                      Sub-total                  3           0          0          0        3           0        0               0               0\nOAR                   High                       1           0          0          0        1           0        0               0               0\n                      Moderate                  11           1          1          0       12           1        1   100%        0      0%       1   100%\n                      Low                        6           0          1          0        7           0        0               0               0\n                      Not Categorized            0           0          0          0        0           0        0               0               0\n                      Sub-total                 18           1          2          0       20           1     
   1   100%        0      0%       1   100%\nOARM                  High                       0           0          0          0        0           0        0               0               0\n                      Moderate                  11           0          2          1       13           1        1   100%        1   100%        1   100%\n                      Low                        0           0          0          0        0           0        0               0               0\n                      Not Categorized            0           0          0          0        0           0        0               0               0\n                      Sub-total                 11           0          2          1       13           1        1   100%        1   100%        1   100%\nOCFO                  High                       0           0          0          0        0           0        0               0               0\n                      Moderate                  18           1          0          0       18           1        1   100%        1   100%        1   100%\n                      Low                        1           0          0          0        1           0        0               0               0\n                      Not Categorized            0           0          0          0        0           0        0               0               0\n                      Sub-total                 19           1          0          0       19           1        1   100%        1   100%        1   100%\nOECA                  High                       0           0          0          0        0           0        0               0               0\n                      Moderate                   8           1          0          0        8           1        1   100%        1   100%        1   100%\n                      Low                        3           1          0          0        3           1        1   100%        0      0%      
 1   100%\n                      Not Categorized            0           0          0          0        0           0        0               0               0\n                      Sub-total                 11           2          0          0       11           2        2   100%        1     50%       2   100%\nOEI                   High                       0           0          0          0        0           0        0               0               0\n                      Moderate                  16           0          6          1       22           1        1   100%               0%       1   100%\n                      Low                       16           1          3          0       19           1        1   100%        1   100%        1   100%\n                      Not Categorized            0           0          0          0        0           0        0               0               0\n                      Sub-total                 32           1          9          1       41           2        2   100%        1     50%       2   100%\nOGC                   High                       0           0          0          0        0           0        0               0               0\n                      Moderate                   1           0          0          0        1           0        0               0               0\n                      Low                        0           0          0          0        0           0        0               0               0\n                      Not Categorized            0           0          0          0        0           0        0               0               0\n                      Sub-total                  1           0          0          0        1           0        0               0               0\n\n\n\n\n                                                                                  1\n\x0c                                                Section C - Inspector General: 
Questions 1 and 2\nAgency Name:          Environmental Protection Agency                                                        Submission date:                September 25, 2008\n                                                           Question 1: FISMA Systems Inventory\n1. As required in FISMA, the IG shall evaluate a representative subset of systems used or operated by an agency or by a contractor of an agency or other\norganization on behalf of an agency.\n\nIn the table below, identify the number of agency and contractor information systems, and the number reviewed, by component/bureau and FIPS\n199 system impact level (high, moderate, low, or not categorized). Extend the worksheet onto subsequent pages if necessary to include all\nComponent/Bureaus.\n\nAgency systems shall include information systems used or operated by an agency. Contractor systems shall include information systems used or operated by\na contractor of an agency or other organization on behalf of an agency. The total number of systems shall include both agency systems and contractor\nsystems.\n\nAgencies are responsible for ensuring the security of information systems used by a contractor of their agency or other organization on behalf of their agency;\ntherefore, self reporting by contractors does not meet the requirements of law. Self-reporting by another Federal agency, for example, a Federal service\nprovider, may be sufficient. Agencies and service providers have a shared responsibility for FISMA compliance.\n                         Question 2: Certification and Accreditation, Security Controls Testing, and Contingency Plan Testing\n2. 
For the Total Number of Systems reviewed by Component/Bureau and FIPS System Impact Level in the table for Question 1, identify the number\nand percentage of systems which have: a current certification and accreditation, security controls tested and reviewed within the past year, and a\ncontingency plan tested in accordance with policy.\n\n                                                                     Question 1                                                      Question 2\n                                                  a.                     b.                   c.                    a.                     b.                c.\n                                            Agency Systems       Contractor Systems    Total Number of          Number of             Number of         Number of\n                                                                                          Systems            systems certified    systems for which systems for which\n                                                                                        (Agency and           and accredited       security controls contingency plans\n                                                                                         Contractor                                have been tested have been tested\n                                                                                          systems)                                 and reviewed in in accordance with\n                                                                                                                                     the past year         policy\n\n\n\n                                                                                                  Total\n                      FIPS 199 System                 Number                 Number     Total                 Total    Percent     Total     Percent     Total   Percent\nU.S. 
Environmental                         Number                Number                          Number\n                      Impact Level                   Reviewed               Reviewed   Number                Number    of Total   Number     of Total   Number   of Total\nProtection Agency                                                                               Reviewed\nOIA                   High                       0           0          0          0        0            0         0                     0                   0\n                      Moderate                   0           0          0          0        0            0         0                     0                   0\n                      Low                        0           0          0          0        0            0         0                     0                   0\n                      Not Categorized            0           0          0          0        0            0         0                     0                   0\n                      Sub-total                  0           0          0          0        0            0         0                     0                   0\nOIG                   High                       0           0          0          0        0            0         0                     0                   0\n                      Moderate                   7           0          0          0        7            0         0                     0                   0\n                      Low                        0           0          0          0        0            0         0                     0                   0\n                      Not Categorized            0           0          0          0        0            0         0                     0                   0\n                      Sub-total                  7           0          0          0        7            0         0                     0                   0\nOPPTS                 
High                       0           0          0          0        0            0         0                     0                   0\n                      Moderate                   6           1          1          0        7            1         1      100%           1      100%         1      100%\n                      Low                        1           0          0          0        1            0         0                     0                   0\n                      Not Categorized            0           0          0          0        0            0         0                     0                   0\n                      Sub-total                  7           1          1          0        8            1         1      100%           1      100%         1      100%\nORD                   High                       0           0          0          0        0            0         0                     0                   0\n                      Moderate                   7           0          0          0        7            0         0                     0                   0\n                      Low                        8           0          0          0        8            0         0                     0                   0\n                      Not Categorized            0           0          0          0        0            0         0                     0                   0\n                      Sub-total                 15           0          0          0       15            0         0                     0                   0\nOSWER                 High                       0           0          0          0        0            0         0                     0                   0\n                      Moderate                   4           1          1          0        5            1         1      100%           1      100%         1      100%\n                      Low                        4           0          
1          0        5            0         0                     0                   0\n                      Not Categorized            0           0          0          0        0            0         0                     0                   0\n                      Sub-total                  8           1          2          0       10            1         1      100%           1      100%         1      100%\nOW                    High                       0           0          0          0        0            0         0                     0                   0\n                      Moderate                   8           0          0          0        8            0         0                     0                   0\n                      Low                        0           0          0          0        0            0         0                     0                   0\n                      Not Categorized            0           0          0          0        0            0         0                     0                   0\n                      Sub-total                  8           0          0          0        8            0         0                     0                   0\nR01                   High                       0           0          0          0        0            0         0                     0                   0\n                      Moderate                   1           1          0          0        1            1         1      100%           0        0%         1      100%\n                      Low                        0           0          0          0        0            0         0                     0                   0\n                      Not Categorized            0           0          0          0        0            0         0                     0                   0\n                      Sub-total                  1           1          0          0        1            1         1      100%      
     0        0%         1      100%\n\n\n\n\n                                                                                  2\n\x0c                                                Section C - Inspector General: Questions 1 and 2\nAgency Name:          Environmental Protection Agency                                                        Submission date:                September 25, 2008\n                                                            Question 1: FISMA Systems Inventory\n1. As required in FISMA, the IG shall evaluate a representative subset of systems used or operated by an agency or by a contractor of an agency or other\norganization on behalf of an agency.\n\nIn the table below, identify the number of agency and contractor information systems, and the number reviewed, by component/bureau and FIPS\n199 system impact level (high, moderate, low, or not categorized). Extend the worksheet onto subsequent pages if necessary to include all\nComponent/Bureaus.\n\nAgency systems shall include information systems used or operated by an agency. Contractor systems shall include information systems used or operated by\na contractor of an agency or other organization on behalf of an agency. The total number of systems shall include both agency systems and contractor\nsystems.\n\nAgencies are responsible for ensuring the security of information systems used by a contractor of their agency or other organization on behalf of their agency;\ntherefore, self reporting by contractors does not meet the requirements of law. Self-reporting by another Federal agency, for example, a Federal service\nprovider, may be sufficient. Agencies and service providers have a shared responsibility for FISMA compliance.\n                         Question 2: Certification and Accreditation, Security Controls Testing, and Contingency Plan Testing\n2. 
For the Total Number of Systems reviewed by Component/Bureau and FIPS System Impact Level in the table for Question 1, identify the number\nand percentage of systems which have: a current certification and accreditation, security controls tested and reviewed within the past year, and a\ncontingency plan tested in accordance with policy.\n\n                                                                     Question 1                                                      Question 2\n                                                  a.                     b.                   c.                    a.                     b.                c.\n                                            Agency Systems       Contractor Systems    Total Number of          Number of             Number of         Number of\n                                                                                          Systems            systems certified    systems for which systems for which\n                                                                                        (Agency and           and accredited       security controls contingency plans\n                                                                                         Contractor                                have been tested have been tested\n                                                                                          systems)                                 and reviewed in in accordance with\n                                                                                                                                     the past year         policy\n\n\n\n                                                                                                  Total\n                      FIPS 199 System                  Number                Number     Total                 Total    Percent     Total     Percent     Total   Percent\nU.S. 
Environmental                         Number                Number                          Number\n                      Impact Level                    Reviewed              Reviewed   Number                Number    of Total   Number     of Total   Number   of Total\nProtection Agency                                                                               Reviewed\nR02                   High                        0          0          0          0        0            0         0                     0                   0\n                      Moderate                    2          0          0          0        2            0         0                     0                   0\n                      Low                         0          0          0          0        0            0         0                     0                   0\n                      Not Categorized             0          0          0          0        0            0         0                     0                   0\n                      Sub-total                   2          0          0          0        2            0         0                     0                   0\nR03                   High                        0          0          0          0        0            0         0                     0                   0\n                      Moderate                    1          0          0          0        1            0         0                     0                   0\n                      Low                         0          0          0          0        0            0         0                     0                   0\n                      Not Categorized             0          0          0          0        0            0         0                     0                   0\n                      Sub-total                   1          0          0          0        1            0         0                     0                   0\nR04                   
High                        0          0          0          0        0            0         0                     0                   0\n                      Moderate                    1          0          0          0        1            0         0                     0                   0\n                      Low                         0          0          0          0        0            0         0                     0                   0\n                      Not Categorized             0          0          0          0        0            0         0                     0                   0\n                      Sub-total                   1          0          0          0        1            0         0                     0                   0\nR05                   High                        0          0          0          0        0            0         0                     0                   0\n                      Moderate                    2          0          0          0        2            0         0                     0                   0\n                      Low                         1          0          0          0        1            0         0                     0                   0\n                      Not Categorized             0          0          0          0        0            0         0                     0                   0\n                      Sub-total                   3          0          0          0        3            0         0                     0                   0\nR06                   High                        0          0          0          0        0            0         0                     0                   0\n                      Moderate                    1          0          0          0        1            0         0                     0                   0\n                      Low                         0          0          0          0        0         
   0         0                     0                   0\n                      Not Categorized             0          0          0          0        0            0         0                     0                   0\n                      Sub-total                   1          0          0          0        1            0         0                     0                   0\nR07                   High                        0          0          0          0        0            0         0                     0                   0\n                      Moderate                    1          0          0          0        1            0         0                     0                   0\n                      Low                         0          0          0          0        0            0         0                     0                   0\n                      Not Categorized             0          0          0          0        0            0         0                     0                   0\n                      Sub-total                   1          0          0          0        1            0         0                     0                   0\nR08                   High                        0          0          0          0        0            0         0                     0                   0\n                      Moderate                    1          0          0          0        1            0         0                     0                   0\n                      Low                         1          0          0          0        1            0         0                     0                   0\n                      Not Categorized             0          0          0          0        0            0         0                     0                   0\n                      Sub-total                   2          0          0          0        2            0         0                     0                   0\n\n\n\n\n              
Section C - Inspector General: Questions 1 and 2 (continued)

Question 1: FISMA Systems Inventory (continued)

Self-reporting by another Federal agency, for example, a Federal service provider, may be sufficient. Agencies and service providers have a shared responsibility for FISMA compliance.

Question 2: Certification and Accreditation, Security Controls Testing, and Contingency Plan Testing

2. For the Total Number of Systems reviewed by Component/Bureau and FIPS System Impact Level in the table for Question 1, identify the number and percentage of systems which have: a current certification and accreditation, security controls tested and reviewed within the past year, and a contingency plan tested in accordance with policy.

Column key. Component/Bureau rows are U.S. Environmental Protection Agency components. Question 1: (a) agency systems, (b) contractor systems, (c) total number of systems (agency and contractor); Tot. = total number of systems, Rev. = number reviewed. Question 2, counted over the systems reviewed: (a) number certified and accredited, (b) number for which security controls have been tested and reviewed in the past year, (c) number for which contingency plans have been tested in accordance with policy; No. = number, % = percent of the total number reviewed.

                                     ---------- Question 1 ---------- ------------- Question 2 --------------
Component/     FIPS 199 system          Agency   Contractor   Total        a. C&A    b. Controls     c. CP
Bureau         impact level           Tot.  Rev. Tot.  Rev. Tot.  Rev.   No.      %   No.      %   No.      %
R09            High                       0     0    0     0    0     0     0            0            0
               Moderate                   1     0    1     0    2     0     0            0            0
               Low                        0     0    0     0    0     0     0            0            0
               Not Categorized            0     0    0     0    0     0     0            0            0
               Sub-total                  1     0    1     0    2     0     0            0            0
R10            High                       0     0    0     0    0     0     0            0            0
               Moderate                   0     0    0     0    0     0     0            0            0
               Low                        1     0    0     0    1     0     0            0            0
               Not Categorized            0     0    0     0    0     0     0            0            0
               Sub-total                  1     0    0     0    1     0     0            0            0
Agency Totals  High                       1     0    0     0    1     0     0            0            0
               Moderate                 110     6   12     2  122     8     8   100%     5    63%     8   100%
               Low                       43     2    5     0   48     2     2   100%     1    50%     2   100%
               Not Categorized            0     0    0     0    0     0     0            0            0
               Total                    154     8   17     2  171    10    10   100%     6    60%    10   100%

Section C - Inspector General: Question 3

Question 3: Evaluation of Agency Oversight of Contractor Systems and Quality of Agency System Inventory

3.a. The agency performs oversight and evaluation to ensure information systems used or operated by a contractor of the agency or other organization on behalf of the agency meet the requirements of FISMA, OMB policy and NIST guidelines, national security policy, and agency policy.

     Agencies are responsible for ensuring the security of information systems used by a contractor of their agency or other organization on behalf of their agency; therefore, self reporting by contractors does not meet the requirements of law.
     Self-reporting by another Federal agency, for example, a Federal service provider, may be sufficient. Agencies and service providers have a shared responsibility for FISMA compliance.

     Response Categories:
      - Rarely- for example, approximately 0-50% of the time
      - Sometimes- for example, approximately 51-70% of the time
      - Frequently- for example, approximately 71-80% of the time
      - Mostly- for example, approximately 81-95% of the time
      - Almost Always- for example, approximately 96-100% of the time

     Response: Mostly (81-95% of the time)

3.b. The agency has developed a complete inventory of major information systems (including major national security systems) operated by or under the control of such agency, including an identification of the interfaces between each such system and all other systems or networks, including those not operated by or under the control of the agency.

     Response Categories:
      - The inventory is approximately 0-50% complete
      - The inventory is approximately 51-70% complete
      - The inventory is approximately 71-80% complete
      - The inventory is approximately 81-95% complete
      - The inventory is approximately 96-100% complete

     Response: Inventory is 96-100% complete

3.c. The IG generally agrees with the CIO on the number of agency-owned systems. Yes or No.

     Response: Yes

3.d. The IG generally agrees with the CIO on the number of information systems used or operated by a contractor of the agency or other organization on behalf of the agency. Yes or No.

     Response: Yes

3.e. The agency inventory is maintained and updated at least annually. Yes or No.

     Response: Yes

3.f. If the Agency IG does not evaluate the Agency's inventory as 96-100% complete, please identify the known missing systems by Component/Bureau, the Unique Project Identifier (UPI) associated with the system as presented in your FY2008 Exhibit 53 (if known), and indicate if the system is an agency or contractor system.

     Component/Bureau    System Name    Exhibit 53 Unique Project Identifier (UPI) {must be 23-digits}    Agency or Contractor system?

     Number of known systems missing from inventory: 0

Section C - Inspector General: Questions 4 and 5

Question 4: Evaluation of Agency Plan of Action and Milestones (POA&M) Process

Assess whether the agency has developed, implemented, and is managing an agency-wide plan of action and milestones (POA&M) process. Evaluate the degree to which each statement reflects the status in your agency by choosing from the responses provided. If appropriate or necessary, include comments in the area provided.

For each statement in items 4.a. through 4.f., select the response category that best reflects the agency's status.

Response Categories:
 - Rarely- for example, approximately 0-50% of the time
 - Sometimes- for example, approximately 51-70% of the time
 - Frequently- for example, approximately 71-80% of the time
 - Mostly- for example, approximately 81-95% of the time
 - Almost Always- for example, approximately 96-100% of the time

4.a. The POA&M is an agency-wide process, incorporating all known IT security weaknesses associated with information systems used or operated by the agency or by a contractor of the agency or other organization on behalf of the agency.

     Response: Almost Always (96-100% of the time)

4.b. When an IT security weakness is identified, program officials (including CIOs, if they own or operate a system) develop, implement, and manage POA&Ms for their system(s).

     Response: Almost Always (96-100% of the time)

4.c. Program officials and contractors report their progress on security weakness remediation to the CIO on a regular basis (at least quarterly).

     Response: Almost Always (96-100% of the time)

4.d. Agency CIO centrally tracks, maintains, and reviews POA&M activities on at least a quarterly basis.

     Response: Almost Always (96-100% of the time)

4.e. IG findings are incorporated into the POA&M process.

     Response: Almost Always (96-100% of the time)

4.f. POA&M process prioritizes IT security weaknesses to help ensure significant IT security weaknesses are addressed in a timely manner and receive appropriate resources.

     Response: Almost Always (96-100% of the time)

POA&M process comments:

     EPA has developed and implemented a POA&M program that ensures the CIO reports on security weaknesses and their remediation on a regular basis, at least quarterly.
     The processes and procedures ensure that OEI tracks, maintains, and reviews POA&M activities on a quarterly basis for weaknesses reported by EPA.

Question 5: IG Assessment of the Certification and Accreditation Process

Provide a qualitative assessment of the agency's certification and accreditation process, including adherence to existing policy, guidance, and standards. Provide narrative comments as appropriate.

Agencies shall follow NIST Special Publication 800-37, "Guide for the Security Certification and Accreditation of Federal Information Systems" (May 2004) for certification and accreditation work initiated after May 2004. This includes use of FIPS 199, "Standards for Security Categorization of Federal Information and Information Systems" (February 2004) to determine a system impact level, as well as the associated NIST documents used as guidance for completing risk assessments and security plans.

5.a. The IG rates the overall quality of the Agency's certification and accreditation process as:

     Response Categories:
      - Excellent
      - Good
      - Satisfactory
      - Poor
      - Failing

     Response: Good

5.b. The IG's quality rating included or considered the following aspects of the C&A process (check all that apply):

     Security plan                  X
     System impact level            X
     System test and evaluation
     Security control testing       X
     Incident handling
     Security awareness training
     Configurations/patching
     Other:

C&A process comments:

     All 10 systems in our sample had C&A documents; however, 4 of the 10 did not provide security test results.

Section C - Inspector General: Questions 6, 7, and 8

Question 6-7: IG Assessment of Agency Privacy Program and Privacy Impact Assessment (PIA) Process

6. Provide a qualitative assessment of the agency's Privacy Impact Assessment (PIA) process, as discussed in Section D Question #5 (SAOP reporting template), including adherence to existing policy, guidance, and standards.

   Response Categories:
    - Excellent
    - Good
    - Satisfactory
    - Poor
    - Failing

   Response: Excellent

7. Provide a qualitative assessment of the agency's progress to date in implementing the provisions of M-07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information.

   Response Categories:
    - Excellent
    - Good
    - Satisfactory
    - Poor
    - Failing

   Response: Excellent

   Comments: EPA is in the process of implementing the program. Policies have been drafted. Procedures have been developed and implemented. Training is being provided.

Question 8: Configuration Management

8.a. Is there an agency-wide security configuration policy? Yes or No.

     Response: Yes

8.b. Approximate the extent to which applicable systems implement common security configurations, including use of common security configurations available from the National Institute of Standards and Technology's website at http://checklists.nist.gov.

     Response categories:
      - Rarely- for example, approximately 0-50% of the time
      - Sometimes- for example, approximately 51-70% of the time
      - Frequently- for example, approximately 71-80% of the time
      - Mostly- for example, approximately 81-95% of the time
      - Almost Always- for example, approximately 96-100% of the time

     Response: Mostly (81-95% of the time)

     Comments: EPA should take additional steps to ensure that network configurations are maintained. Our tests disclosed that security patches and updates on network resources were not always installed in a timely manner.

8.c. Indicate which aspects of Federal Desktop Core Configuration (FDCC) have been implemented as of this report:

     c.1. Agency has adopted and implemented FDCC standard configurations and has documented deviations. Yes or No.

          Response: Yes

     c.2. New Federal Acquisition Regulation 2007-004 language, which modified "Part 39—Acquisition of Information Technology", is included in all contracts related to common security settings. Yes or No.

          Response: Yes

     c.3. All Windows XP and VISTA computing systems have implemented the FDCC security settings. Yes or No.

          Response: No

Section C - Inspector General: Questions 9, 10 and 11

Question 9: Incident Reporting

Indicate whether or not the agency follows documented policies and procedures for reporting incidents internally, to US-CERT, and to law enforcement. If appropriate or necessary, include comments in the area provided below.

9.a. The agency follows documented policies and procedures for identifying and reporting incidents internally. Yes or No.

     Response: Yes

9.b. The agency follows documented policies and procedures for external reporting to US-CERT (http://www.us-cert.gov). Yes or No.

     Response: Yes

9.c. The agency follows documented policies and procedures for reporting to law enforcement. Yes or No.

     Response: Yes

Question 10: Security Awareness Training

Has the agency ensured security awareness training of all employees, including contractors and those employees with significant IT security responsibilities?

Response Categories:
 - Rarely- or approximately 0-50% of employees
 - Sometimes- or approximately 51-70% of employees
 - Frequently- or approximately 71-80% of employees
 - Mostly- or approximately 81-95% of employees
 - Almost Always- or approximately 96-100% of employees

Response: Almost Always (96-100% of employees)

Question 11: Collaborative Web Technologies and Peer-to-Peer File Sharing

Does the agency explain policies regarding the use of collaborative web technologies and peer-to-peer file sharing in IT security awareness training, ethics training, or any other agency-wide training? Yes or No.

Response: Yes

Question 12: E-Authentication Risk Assessments

12.a. Has the agency identified all e-authentication applications and validated that the applications have operationally achieved the required assurance level in accordance with NIST Special Publication 800-63, "Electronic Authentication Guidelines"? Yes or No.

      Response: Yes

12.b. If the response is "No", then please identify the systems in which the agency has not implemented the e-authentication guidance and indicate if the agency has a planned date of remediation.

Appendix A

Summary of Significant Fiscal Year 2008 Security Control Audits

During Fiscal Year 2008, the U.S. Environmental Protection Agency's (EPA's) Office of Inspector General (OIG) initiated the following audits of EPA's information technology security program and information systems. The following synopsizes key findings.

1. Supplemental Fiscal 2007 FISMA Audit Results: OIG Results of EPA's Efforts to Protect PII and Contractor Results of EPA Standard Configuration Documents' Compliance with Federal Guidance or Industry Best Practices
   Assignment No. 2007-000802, December 20, 2007

   EPA needs to (1) issue a memo to Senior Information Officers to remind them of the Agency's policy requirements for protecting personally identifiable information and the need to reiterate and reinforce compliance with the Agency policy, and (2) complete efforts to publish the Privacy Program procedures related to the Privacy Program policy.

   EPA concurred with the recommendations and subsequently implemented corrective actions to adequately address the report recommendations.

2. Review of the Quality of Self-Reported Security Information in EPA's Automated Security Self-Evaluation and Remediation Tracking (ASSERT) System
   Assignment No. 2008-0003

   The primary objective of this assignment is to determine whether EPA has implemented effective management control processes for maintaining the quality of the data in EPA's ASSERT system. The OIG plans to issue a final report by December 2008.

Appendix B

Distribution

Office of the Administrator
Assistant Administrator for Environmental Information and Chief Information Officer
Director, Office of Technology Operations and Planning, Office of Environmental Information
Senior Agency Information Security Officer, Office of Environmental Information
Agency Follow-up Official (the CFO)
Agency Follow-up Coordinator
Office of General Counsel
Associate Administrator for Congressional and Intergovernmental Relations
Associate Administrator for Public Affairs
Deputy Inspector General